go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/analysis/rpc/decorator.go

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/analysis/rpc/decorator.go (about)

     1  // Copyright 2022 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package rpc
    16  
    17  import (
    18  	"context"
    19  
    20  	"github.com/golang/protobuf/proto"
    21  	"google.golang.org/grpc/codes"
    22  
    23  	"go.chromium.org/luci/common/errors"
    24  	"go.chromium.org/luci/grpc/appstatus"
    25  	"go.chromium.org/luci/server/auth"
    26  )
    27  
    28  const luciAnalysisAccessGroup = "luci-analysis-access"
    29  
    30  // auditUsersAccessGroup is the group which contains people authorised
    31  // to see the details of the user who last created/modified entities.
    32  const auditUsersAccessGroup = "googlers"
    33  
    34  const googlerOnlyGroup = "googlers"
    35  
    36  const luciAnalysisAdminGroup = "service-luci-analysis-admins"
    37  
    38  // Checks if this call is allowed, returns an error if it is.
    39  func checkAllowedPrelude(ctx context.Context, methodName string, req proto.Message) (context.Context, error) {
    40  	if err := checkAllowed(ctx, luciAnalysisAccessGroup); err != nil {
    41  		return ctx, err
    42  	}
    43  	return ctx, nil
    44  }
    45  
    46  func checkAllowedAdminPrelude(ctx context.Context, methodName string, req proto.Message) (context.Context, error) {
    47  	if err := checkAllowed(ctx, luciAnalysisAdminGroup); err != nil {
    48  		return ctx, err
    49  	}
    50  	return ctx, nil
    51  }
    52  
    53  // Logs and converts the errors to GRPC type errors.
    54  func gRPCifyAndLogPostlude(ctx context.Context, methodName string, rsp proto.Message, err error) error {
    55  	return appstatus.GRPCifyAndLog(ctx, err)
    56  }
    57  
    58  func checkAllowed(ctx context.Context, allowedGroup string) error {
    59  	switch yes, err := auth.IsMember(ctx, allowedGroup); {
    60  	case err != nil:
    61  		return errors.Annotate(err, "failed to check ACL").Err()
    62  	case !yes:
    63  		return appstatus.Errorf(codes.PermissionDenied, "not a member of %s", allowedGroup)
    64  	default:
    65  		return nil
    66  	}
    67  }